Wednesday, 28 May 2014

In our previous discussions we went through 'What is Spring Security' and 'Custom login form in Spring Security'; there we used an XML-based username and password to authenticate a user. In this blog we will see how to use username, password and role details from a database to authenticate a user. At the end of the blog we will see how to perform authorization with Spring Security based on different roles.

Project Structure

Let us start with the project structure; please go through the pom.xml file for the dependencies needed for spring-security. Set up a simple Maven project, import it in Eclipse, and follow the step-by-step instructions below.

Database setup

As per the Spring Security documentation, we need to create the two suggested tables 'users' and 'user_roles' in the database with the exact column names and data types. Here is the script to create the tables in the DB.

Dependencies required for spring-security - pom.xml

Here is a list of all the dependencies we need to add to pom.xml; to get the basic Spring Security features all we need to add are 'spring-security-web' and 'spring-security-config'.

\src\main\webapp\WEB-INF\web.xml

The very first thing we need to do is add the following filter to our web.xml. This filter tells the container that all incoming requests will be handed to Spring Security for security processing. DelegatingFilterProxy is a class present in the spring-security jars which delegates control to a filter chain defined inside Spring Security. Note that we have given the bean name as 'springSecurityFilterChain'; one should not change this name, because it is the name under which Spring Security's internal infrastructure configures the bean. With this filter added to web.xml we are ready to configure security in the application.

\src\main\webapp\WEB-INF\security-config.xml

By adding the filter to web.xml we are now able to configure security in our application; we can start with a minimal http configuration for incoming requests. This says that all incoming requests matching the pattern given in the 'pattern' attribute will be secured by spring-security and will require the 'ROLE_USER' role to access them. Note that the 'ROLE_' prefix is a marker for roles, and the 'access' attribute can accept a number of roles separated by commas.
We can have a number of these intercept entries for different URLs; they are evaluated in the order they are defined here, and the first entry matching the incoming request is the one applied. We can also add a method attribute to limit the match to a particular HTTP method (GET, POST, PUT etc.).

\src\main\java\com\beingjavaguys\controller\LoginController.java

This is a simple Controller class with a few request mappings in it. We have '/login' to send the user to the login form, along with custom messages if required. The other mappings are for the admin page '/admin' and the user page '/user'; only logged-in users with the required roles will be able to see these pages.

\src\main\webapp\WEB-INF\pages\login.jsp

This is the actual custom login form that will be rendered to the user to enter credentials and log in to the application. In this file all we need to do is set the form action to the Spring-specific URL 'j_spring_security_check' so that Spring Security can intercept the submission and perform the authentication.

\src\main\webapp\WEB-INF\pages\admin.jsp

This is another simple JSP file; it will be rendered to the browser if a user with 'ROLE_ADMIN' logs in successfully. We have also added a logout link to the page; for logout to work, one has to link to the Spring-specific URL '/j_spring_security_logout'. On clicking the link, Spring Security will log out the currently logged-in user.

\src\main\webapp\WEB-INF\pages\user.jsp

This is another simple JSP file; it will be rendered to the browser if a user with the 'ROLE_USER' role logs in successfully. We have also added a logout link to this page; as above, it points to the Spring-specific URL '/j_spring_security_logout', and on clicking it Spring Security will log out the currently logged-in user.

Here we are done with all the required configuration; if everything goes right you will see the screens below in your browser.

Authorization with spring security

Authentication decides who can enter the system based on their login credentials, whereas authorization tells the system which authenticated users can access a particular system functionality.

Try to access the '/admin' page by hitting the URL "http://localhost:8080/SpringSecurityDemo/admin".
Spring Security will redirect to the login page, because according to the interceptor configuration only a logged-in user, and only one with the role 'ROLE_ADMIN', can view this page.

Let's try to log in as 'robert'. We know that 'robert' does not have the 'ROLE_ADMIN' role, so there will be a '403' access denied error; this is what we call 'Authorization in Spring Security'. Although 'robert' has a valid login and password, he cannot view the URLs for which he does not have the role.

Now let us try to log in again with 'andrew's credentials. 'andrew' has the required role, i.e. 'ROLE_ADMIN', to view the '/admin' page, so the login will succeed and he will be redirected to the admin page.

This is all about 'Spring Security Authentication and Authorization Example with Database Credentials'. In upcoming blogs we will see more about Spring, Hibernate, Java and other open-source technologies.

If someone could fix an issue in this example: if you give the correct login ID and password for USER_ROLE from the admin login it will say you are not authorized, which is fine, but at the same time if you hit the user URL it will directly take you to user.jsp without any login page in between.